From dde401d134dab79ed3366a40388b9b834fb8307a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=A1clav=20Van=C4=8Dura?=
Date: Wed, 22 Jan 2025 15:48:00 +0100
Subject: [PATCH] Actor: Update Docker configuration for improved security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add `ACTOR_PATH_IN_DOCKER_CONTEXT` argument to ignore the Apify-tooling related warning.
- Improve readability with consistent formatting and spacing in RUN commands.
- Enhance security by properly setting up appuser home directory and permissions.
- Streamline directory structure and ownership for runtime operations.
- Remove redundant `.apify` directory creation as it's handled by the CLI.

Signed-off-by: Václav Vančura
---
 .actor/Dockerfile | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/.actor/Dockerfile b/.actor/Dockerfile
index ae520b39..ec81dedf 100644
--- a/.actor/Dockerfile
+++ b/.actor/Dockerfile
@@ -1,3 +1,5 @@
+ARG ACTOR_PATH_IN_DOCKER_CONTEXT
+
 FROM python:3.11-slim-bookworm
 LABEL maintainer="Vaclav Vancura <@vancura>"
 
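Review bot: `ARG ACTOR_PATH_IN_DOCKER_CONTEXT` is declared before `FROM` and never referenced in the hunk, and an ARG in that position is only in scope for `FROM` instructions, so the next reader will take it for dead code. The commit message explains it exists to quiet an Apify tooling warning; that reason belongs in the file, e.g. `# Declared only so the Apify tooling stops warning about it; not used by the build itself.` If the value is ever needed inside a stage it must be redeclared with a bare `ARG ACTOR_PATH_IN_DOCKER_CONTEXT` after `FROM`.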
@@ -7,23 +9,30 @@ LABEL version="1.0.0"
 RUN groupadd -r appuser && useradd -r -g appuser -s /sbin/nologin appuser && \
     \
     apt-get update && apt-get install -y --no-install-recommends bash curl file git gpg jo jq procps xz-utils && \
+    \
     mkdir -p /etc/apt/keyrings && \
     curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
     echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
+    \
     apt-get update && apt-get install -y nodejs && apt-get clean && \
+    \
     rm -rf /var/lib/apt/lists/* && \
     \
     pip install --no-cache-dir --upgrade pip && \
     pip install --no-cache-dir docling==2.15.1 && \
+    \
     npm install -g npm@latest && \
     npm install -g apify-cli && \
-    npm cache clean --force
+    npm cache clean --force && \
+    \
+    mkdir -p /home/appuser && \
+    chown -R appuser:appuser /home/appuser
 
 WORKDIR /app
 
-RUN mkdir -p /tmp/runtime-root /home/appuser/.apify && \
+RUN mkdir -p /tmp/runtime-root && \
     chmod 0700 /tmp/runtime-root && \
-    chown -R appuser:appuser /tmp/runtime-root /home/appuser/.apify
+    chown -R appuser:appuser /tmp/runtime-root /app
 
 COPY --chown=appuser:appuser .actor/ .actor/
 COPY --chown=appuser:appuser . .
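Review bot: The new `chown -R appuser:appuser /tmp/runtime-root /app` in the second RUN, together with the `COPY --chown=appuser:appuser` lines that follow, leaves the whole application tree including `.actor/` writable by the account the process runs as, so a compromised actor could rewrite its own code and configuration; the safer default is a root-owned, read-only `/app` with only the paths that genuinely need runtime writes handed to appuser, e.g. `chown -R appuser:appuser /tmp/runtime-root` plus a dedicated writable data directory — whether the actor writes into `/app` is not visible in this hunk, so confirm before changing. The added `mkdir -p /home/appuser` inherits the build umask and leaves the home directory world-readable while `/tmp/runtime-root` two lines below is restricted to 0700; `mkdir -p -m 0700 /home/appuser` keeps the two consistent. The adjacent `npm install -g npm@latest` and `npm install -g apify-cli` context lines remain unpinned, so each build pulls whatever the registry serves and the image is not reproducible; pinning exact versions would match the `docling==2.15.1` pin a few lines above. The rest of the Dockerfile (including any `USER` instruction) is outside this hunk.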